w3c
Complete threat modelling analysis for different DID Resolution architectures
Could this be a separate WG note?
Should analyse the architectures provided as examples - #131
This was discussed during the #did meeting on 24 April 2025.
View the transcript
Complete threat modelling analysis for different DID Resolution architectures #132
<ottomorac> w3c/
Wip: yes, I think this came up on our discussion before.... The diagrams describe different architectures, it would be good to do an analysis of each and this could fit into the security considerations....
ack: JoeAndrieu
<Zakim> JoeAndrieu, you wanted to discuss threat modeling
JoeAndrieu: +1 to making it a separate note. We dont want to be concerned about making it concise
… I think it makes sense to look at each of those architectures and break down the threats
… I am keen to help with that work
… The plans for the security interest group is to great a guide for all groups to do some threat modelling as part of their spec development work
… Getting ahead of this is a good idea
markus_sabadello: Wondering if it is a separate note, why would we still have a security considerations in the main specification
… I would have thought this would go into the security consideration section
… Not really sure what the difference would be between the note and the security section
<Zakim> JoeAndrieu, you wanted to say good question
JoeAndrieu, thats a good question. Still trying to figure it out. I do think there are security considerations that would not be part of threat modelling
… Simone is still figuring out what threat modelling would mean for the W3C groups
… My invitation to the group is lets help figure out what this means by applying it to our spec
<ottomorac> Wip: yes my sense is that a separate document could then inform the security considerations , we can figure it out
This was discussed during the #did meeting on 24 July 2025.
View the transcript
Complete threat modelling analysis for different DID Resolution architectures #132
ottomorac: there is another issue.
ottomorac: should we merge these?
markus_sabadello: Will created that one.
… My recollection is that there is maybe an interest in describing the architectures in a general way (as it is now) but maybe also concrete examples.
… This feels like adding the specific examples.
ottomorac: sounds like this is more specific for each architecture.
… this is also blocked by having more guidance
JoeAndrieu: this is not blocked by Simone's guidance.... I think the security considerations section does need to wait, but the let's dive into the diagrams....
<Wip> Yep I think so. We first select the architectures, then model the threats
<manu> agree ^
This was discussed during the #did meeting on 16 October 2025.
View the transcript
Complete threat modelling analysis for different DID Resolution architectures #132
<ottomorac> w3c/
ottomorac: Next issue about threat modelling analysis
<ottomorac> Joe had mentioned this is not blocked by Simone's guidance, we have to first select the architectures, then model the threats. I know that Manu has also recently been experimenting with some LLM generated threat models.
ottomorac: We need to decide as a group what we are going to about the threat modelling for DID resolution
manu:
manu: I was not intending to do this threat modelling work
… Just playing around and exploring, so we can get something to Simone fairly quickly that is a starting place
… I took the research mode for some of the LLMs, fed in ReSpec, DID Core, CID and some threat modelling work from Joe and Eric.
… Then I asked it to generate a threat model. It produced this document almost perfectly
… It is decent, has no errors but needs thorough review
… This is a decent summary and starting place
… There are some downsides. But it managed to produce correct ReSpec. That is a good success.
… It also has in its memory, all of the specs we have published as Recs
… It integrated other writing in blogs etc. Also it used Stride and other frameworks
… It managed to create its own diagrams, with boundaries, storage, processes
… Everything was labelled
… It listed out all components, threat boundaries in tables
… It identified entities, processes, data flows relevant to the DID ecosystem
… Then reviewed architectural considerations and the threats
… Some of the threats make no sense really. It requires humans to go in and really pay attention. LLM can be persuasive and still wrong
… It has attacks and responses for a given threat. and identifies the analysis frameworks that it used
ottomorac: Which model was used?
manu: All of the models. Primarily Claude Sonnet 4.5
… Used different models to spot check the outputs
TallTed: I heard you mention about color coding. Accessibility will have concerns if we use Color coding for anything
… Different fill pattern and gradations make a different
<pchampin> +1, I was about to mention that
JoeAndrieu: Yeah, so manu this is very interesting work. Would love to see the prompts that produced this
… Not a big fan of this. As you described. LLMs talk reasonably and are convincing, but then you have to think deeply to evaluate
… This document could be a distraction. We could spend a long time arguing about it. I think it is often better to start from scratch then bring in a LLM
… We have quite a bit of work to do to understand what threats are relevant
… The goal is not to have an exhaustive list of all the threats, but to curate a list of the most salient threats. Things that implementers should be considering when implementing the spec
… It is cognitively dangerous to have too many threats
… At one point in previous work we had 77 threats, we had to do a lot of work to reduce the threats to a more salient sety
<Zakim> swcurran, you wanted to ask about the prompt
JoeAndrieu: I will take this as a starting point and provide feedback
swcurran: I was also interesting in the prompts around how this was created
… I am going to say a similar thing with Joe, but on a more positive side
… I find having the structure and the data there very helpful. Hundred percent agree, this needs to be curated first. Having a broad group look at this document will be time consuming. Should have a small group first review this document
ottomorac: Not meaning to put you on the spot manu, just wanted to share with the group
manu: +1 to everything that has been said. I don;t think we would ever push this out before a thorough review by people who understand this stuff
… Agree, we need to refine and delete things that make this unreadable
… I did not have it read the DID resolution spec, because I did not feel it was complete enough
… Agree that the set of threats is too much. Needs thorough review. Do not want to overwhelm the humans with reams of LLM generated content
… It can be verbose and distracting
… What we are trying to do is create a document that a human can read through and get a good idea of what the threats are
… Happy to get rid of the entire document and start again
… There could be ~100 prompts that generated this. A lot of dead ends
… Found that if you can start from a structured document, you get much better structured output than asking for it to invent something from scratch
… For example, we could provide the constraints and threats we cared about.
… +1, I was pleasantly suprised by this output. This feels like a big improvement on what it has previously been able to do
… The goal was to help us generate these things in a useful way so we can address Simone's request to a threat model in a timely manner
… This was an experiment. I found it useful
ottomorac: This is using research mode?
manu: It was all over the map. Many prompts to produce and refine
… I will try to share the most useful prompts
Wip: What does the group think of the work of doing the threat model?
Wip: perhaps we do the work in smaller group?
swcurran: to clarify, one person to go through the LLM content. Then a smaller group could work on this
swcurran: I think that would be time well spent to decide if we throw it away, or keep it and iterate
ottomorac: So evaluate what we have for DID core, then decide if we do something similar
… for DID resolution
<Zakim> manu, you wanted to contradict what he just said :P
ottomorac: We just need some more time
manu: Now I feel bad, because I have created work for Joe
… Not the intent to do this
… I was concerned that we were not going to do the work at all
… I think we have higher priorities at the moment. Like just getting DID resolution done
… I wanted to send a signal to Simone, that we don't have the bandwidth
… This was an attemt to see if there was some way to get something done
… I dont want to put work on for Joe.
JoeAndrieu: This is an interesting experiment.
… Not too worried about the extra work
… This is something that we can move forwards, I need to dive into this
… I do think this is very similar for the threat modelling for DID resolution
<Zakim> manu, you wanted to volunteer to at least get the prompts for Joe/the group.
JoeAndrieu: Not too worried that this is more work. I think it will be useful
manu: I appreciate that JoeAndrieu
… I will share the prompts with you and the group
Wip: Are we thinking that we are going to create separate threat model for DID core and for DID resolution? Do we want a single one for the DID ecosystem?
<swcurran> +1 to Manu -- 1 threat model
manu: If it takes three hours to put together a threat model, not too concerned about that although it does add work for humans to review and understand. My intention was to model the enitre DID ecosystem
… I did not include DID resolution, because I did not want to include unfinished work
… Would be easy to add it in
… A specific DID resolution threat model, would all us to focus specifically on threats relevant to that spec. E.g. if you are implementing a DID resolver
We do not yet have the guidance around threat modelling to complete this correctly before CR. We will address the threat modelling during CR.
This was discussed during the #did meeting on 11 November 2025.
View the transcript
w3c/did-resolution#132
JoeAndrieu: Next steps are to talk w/ Simone / PA / Joe to figure out how to proceed
wip: next up threat modeling issue
JoeAndrieu: let's just tag this as "During CR"
wip: maybe PA can talk about getting an extension
wip: there remain 4 discuss issues and some related to test suite
manu: There is the DID threat model...
JoeAndrieu: I don't think that's usable
wip: that's it. To break